General

  • Target

    RNSM00410.7z

  • Size

    21.5MB

  • Sample

    241028-vnqveathke

  • MD5

    64384565c3b00fa1aab947629bbe0faf

  • SHA1

    5d9f38b51e488439883484311f5d6ed90687b39e

  • SHA256

    81b561b925c37b709ab897c4a7920494be95150ac569faf2d80d84b09278540a

  • SHA512

    1293b96c96df7f246eea0df853efc75c7ebc8876d350cee8c96986bb260b80d169341773958bbcebef7eb54534f6afd0a7452fafea74e1d6f97c0aa8c6918c07

  • SSDEEP

    393216:Utjrgx02Rx96TRbopTUo2zO9MUoJa4s+9UvIdjond3ftMqtmlorp6nQXXopG26A9:Wrgx0K96TRGELX7JifRr1X496AerE

Malware Config

Extracted

Family

crimsonrat

C2

198.12.90.116

Targets

    • Target

      RNSM00410.7z

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Disables service(s)

    • GandCrab payload

    • Gandcrab

      GandCrab is ransomware that encrypts files on the infected computer and demands payment for the decryption key.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (188) files with added filename extension

      Appending an extension to many files in quick succession suggests ransomware encrypting the files on the system.

    • Downloads MZ/PE file

    • Downloads PsExec from SysInternals website

      Sysinternals tools such as PsExec are frequently abused by malware for remote execution and lateral movement, because they are signed, widely deployed by administrators and testers, and therefore rarely blocked.

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read from the registry to detect sandbox and virtual-machine environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution to or away from particular regions.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Modifies file permissions

    • Windows security modification

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Network Share Discovery

      Attempts to enumerate network shares reachable from the host.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the UPX open-source packer.
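The behaviour labels above are produced by matching raw registry and file events against signatures. The script below is an added example, not the sandbox vendor's own detection engine, that re-implements a handful of those labels (the VirtualBox ACPI check, the BIOS and Wine checks, the location lookup, the WinLogon and Run-key persistence, the Defender real-time protection change, and the autorun.inf drop) over a constructed Sysmon-style event stream, mapping each hit to its MITRE ATT&CK technique. The event format, rule regexes, and every path and file name in the sample events (for example payload.exe) are assumptions made for the example.

```python
"""Minimal sandbox-style behaviour signatures over registry/file events.
Example code added to this report; not the sandbox vendor's engine."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str         # label as it would appear in the report
    attack: str       # MITRE ATT&CK technique ID
    event_type: str   # "reg_query", "reg_set" or "file_create"
    path: str         # regex searched case-insensitively in the full path
    value: str = ".*" # regex searched in the registry value name (reg events only)


# VirtualBox exposes ACPI tables whose OEM ID is "VBOX__"; Wine creates HKCU\Software\Wine.
RULES = [
    Rule("Identifies VirtualBox via ACPI registry values", "T1497.001", "reg_query",
         r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    Rule("Checks BIOS information in registry", "T1497.001", "reg_query",
         r"HARDWARE\\DESCRIPTION\\System(\\BIOS)?$",
         r"^(SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$"),
    Rule("Identifies Wine through registry keys", "T1497.001", "reg_query",
         r"^HKCU\\Software\\Wine"),
    Rule("Checks computer location settings", "T1614", "reg_query",
         r"Control Panel\\International\\Geo$", r"^Nation$"),
    Rule("Modifies WinLogon for persistence", "T1547.004", "reg_set",
         r"Windows NT\\CurrentVersion\\Winlogon$", r"^(Shell|Userinit)$"),
    Rule("Adds Run key to start application", "T1547.001", "reg_set",
         r"CurrentVersion\\(Run|RunOnce)$"),
    Rule("Modifies Windows Defender Real-time Protection settings", "T1562.001", "reg_set",
         r"Windows Defender\\Real-Time Protection$", r"^Disable"),
    Rule("Drops autorun.inf file", "T1091", "file_create",
         r"^[A-Z]:\\autorun\.inf$"),
]


def match_events(events):
    """Return one hit per (event, rule) pair; an event may trip several rules."""
    hits = []
    for ev in events:
        for rule in RULES:
            if ev["type"] != rule.event_type:
                continue
            if not re.search(rule.path, ev["path"], re.IGNORECASE):
                continue
            # File events carry no value name; registry rules must also match it.
            if rule.event_type != "file_create" and \
                    not re.search(rule.value, ev.get("value", ""), re.IGNORECASE):
                continue
            hits.append({"rule": rule.name, "attack": rule.attack, "event": ev})
    return hits


def triggered(events):
    """Sorted, de-duplicated list of report labels the event stream would earn."""
    return sorted({h["rule"] for h in match_events(events)})


# Constructed events (not from the real sample); paths and payload.exe are hypothetical.
SAMPLE_EVENTS = [
    {"type": "reg_query", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", "value": ""},
    {"type": "reg_query", "path": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"type": "reg_query", "path": r"HKCU\Software\Wine", "value": ""},
    {"type": "reg_query", "path": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "reg_set", "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Shell", "data": r"explorer.exe,C:\Users\Public\payload.exe"},
    {"type": "reg_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "payload", "data": r"C:\Users\Public\payload.exe"},
    {"type": "reg_set", "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": "1"},
    {"type": "file_create", "path": r"E:\autorun.inf"},
    # Benign noise that must not match anything.
    {"type": "reg_query", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "value": "ShellState"},
    {"type": "file_create", "path": r"C:\Users\Public\notes.txt"},
]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(f"{hit['attack']:<10} {hit['rule']:<60} {hit['event']['path']}")
```

Each rule anchors on the end of the key path and on the value name, which is what separates a real WinLogon Shell hijack from the far more common reads of the same key; when porting this to Sysmon EventID 12/13 data, the TargetObject field carries both, so the split into path and value here is only for readability.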

MITRE ATT&CK Enterprise v15

Tasks